/*
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include "config.h"
#include "libavutil/avassert.h"
#include "libavutil/avstring.h"

#include "libavcodec/avcodec.h"
#include "libavcodec/bytestream.h"
#include "libavformat/avformat.h"


/*
 * State shared between the fuzzer entry point and the custom AVIO read/seek
 * callbacks in this file. It is handed to libavformat as the callbacks'
 * opaque pointer.
 */
typedef struct IOContext {
    /* Logical stream position: advanced by io_read(), set by io_seek(). */
    int64_t pos;
    /* Size reported for AVSEEK_SIZE and upper bound for seek targets;
     * io_read() raises it to pos after a read and clamps it to pos at EOF. */
    int64_t filesize;
    /* Next unread byte of the fuzzer-supplied input. */
    uint8_t *fuzz;
    /* Number of bytes still available at fuzz. */
    int fuzz_size;
} IOContext;

/* libFuzzer entry point, defined further down in this file. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
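
/* Remaining interrupt polls before interrupt_cb() starts returning non-zero. */
int64_t interrupt_counter;

/**
 * Interrupt callback installed on the AVFormatContext.
 *
 * Decrements the global budget on every call and returns non-zero once it
 * has gone negative, so a demuxer that polls the callback is bounded in how
 * long it can keep running on one input.
 *
 * @param ctx unused
 * @return 1 when the budget is exhausted, 0 otherwise
 */
static int interrupt_cb(void *ctx)
{
    interrupt_counter --;
    return interrupt_counter < 0;
}

/**
 * Report a harness setup failure on stderr and terminate the process.
 *
 * The message is printed through a fixed "%s" format, never as the format
 * string itself.
 */
static void error(const char *err)
{
    fprintf(stderr, "%s", err);
    exit(1);
}

/**
 * AVIO read callback: hand out the next bytes of the fuzzer input.
 *
 * @param opaque   IOContext set up by LLVMFuzzerTestOneInput()
 * @param buf      destination buffer
 * @param buf_size capacity of buf
 * @return number of bytes copied, AVERROR_EOF when the input is exhausted,
 *         or AVERROR(EIO) if advancing pos would overflow int64_t
 */
static int io_read(void *opaque, uint8_t *buf, int buf_size)
{
    IOContext *c = opaque;
    /* Never copy more than the caller's buffer or the remaining input. */
    int size = FFMIN(buf_size, c->fuzz_size);

    if (!c->fuzz_size) {
        /* Out of data: the reported file size must not exceed what was read. */
        c->filesize = FFMIN(c->pos, c->filesize);
        return AVERROR_EOF;
    }
    /* pos may have been moved by io_seek(); refuse a read that would wrap it. */
    if (c->pos > INT64_MAX - size)
        return AVERROR(EIO);

    memcpy(buf, c->fuzz, size);
    c->fuzz      += size;
    c->fuzz_size -= size;
    c->pos       += size;
    c->filesize   = FFMAX(c->filesize, c->pos);

    return size;
}

/**
 * AVIO seek callback.
 *
 * SEEK_CUR and SEEK_END offsets are converted to absolute positions with an
 * overflow check; AVSEEK_SIZE returns the current filesize. Targets outside
 * [0, filesize] are rejected. Only when IO_FLAT is non-zero does a seek move
 * the underlying data pointer; otherwise only the logical position changes
 * and io_read() keeps delivering the input sequentially.
 *
 * NOTE(review): IO_FLAT is not defined in this file; presumably it is
 * supplied by the build (e.g. a -D flag) - confirm.
 *
 * @return 0 on success, filesize for AVSEEK_SIZE, -1 on a rejected seek
 */
static int64_t io_seek(void *opaque, int64_t offset, int whence)
{
    IOContext *c = opaque;

    if (whence == SEEK_CUR) {
        if (offset > INT64_MAX - c->pos)
            return -1;
        offset += c->pos;
    } else if (whence == SEEK_END) {
        if (offset > INT64_MAX - c->filesize)
            return -1;
        offset += c->filesize;
    } else if (whence == AVSEEK_SIZE) {
        return c->filesize;
    }
    if (offset < 0 || offset > c->filesize)
        return -1;
    if (IO_FLAT) {
        /* Flat mode: keep the data pointer and remaining size in step with pos. */
        c->fuzz      += offset - c->pos;
        c->fuzz_size -= offset - c->pos;
    }
    c->pos = offset;
    return 0;
}

// Ensure we don't loop forever
const uint32_t maxiteration = 8096;
const int maxblocks= 50000;

/* Reads as the ASCII bytes "FUZZ-TAG" when stored little-endian. */
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

/**
 * libFuzzer entry point: feed one input through a libavformat demuxer.
 *
 * In flat mode (IO_FLAT non-zero) the whole input is the media stream and the
 * stream is seekable. Otherwise, inputs larger than 2048 bytes carry a
 * 2048-byte trailer that is stripped from the stream:
 *   - last 1024 bytes: file name handed to avformat_open_input()
 *   - preceding 1024 bytes, read in order:
 *       le32  I/O buffer size (low 28 bits)
 *       byte  flags: bit 0 = seekable, bit 1 = append a demuxer extension
 *       le64  reported file size (low 63 bits)
 *       le32  demuxer index for the extension (only read when bit 1 is set
 *             and the file name is shorter than half the name buffer)
 *       le32  interrupt budget for interrupt_cb()
 *
 * Setup failures (allocation) terminate the process through error(); demuxer
 * errors are expected and simply end the run.
 *
 * @param data fuzzer-controlled bytes; treated as untrusted
 * @param size length of data
 * @return always 0
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    /* Not referenced anywhere else in this function. */
    const uint64_t fuzz_tag = FUZZ_TAG;
    uint32_t it = 0;
    AVFormatContext *avfmt = avformat_alloc_context();
    AVPacket *pkt;
    char filename[1025] = {0};
    AVIOContext *fuzzed_pb = NULL;
    uint8_t *io_buffer;
    int io_buffer_size = 32768;
    int64_t filesize = size;
    IOContext opaque;
    static int c;
    int seekable = 0;
    int ret;
    AVInputFormat *fmt = NULL;
#ifdef FFMPEG_DEMUXER
#define DEMUXER_SYMBOL0(DEMUXER) ff_##DEMUXER##_demuxer
#define DEMUXER_SYMBOL(DEMUXER) DEMUXER_SYMBOL0(DEMUXER)
    /* Pin the run to one demuxer chosen at build time instead of probing. */
    extern AVInputFormat DEMUXER_SYMBOL(FFMPEG_DEMUXER);
    fmt = &DEMUXER_SYMBOL(FFMPEG_DEMUXER);
#endif

    /* One-time setup: silence everything below PANIC. */
    if (!c) {
        av_log_set_level(AV_LOG_PANIC);
        c=1;
    }

    if (!avfmt)
        error("Failed avformat_alloc_context()");

    if (IO_FLAT) {
        seekable = 1;
        io_buffer_size = size;
    } else if (size > 2048) {
        int flags;
        char extension[64];

        GetByteContext gbc;
        /* filename has 1025 zero-initialised bytes, so it stays NUL-terminated. */
        memcpy (filename, data + size - 1024, 1024);
        bytestream2_init(&gbc, data + size - 2048, 1024);
        size -= 2048;

        io_buffer_size = bytestream2_get_le32(&gbc) & 0xFFFFFFF;
        flags          = bytestream2_get_byte(&gbc);
        seekable       = flags & 1;
        filesize       = bytestream2_get_le64(&gbc) & 0x7FFFFFFFFFFFFFFF;

        if ((flags & 2) && strlen(filename) < sizeof(filename) / 2) {
            const AVInputFormat *avif = NULL;
            void *avif_iter = NULL;
            int avif_count = 0;
            unsigned int avif_pick;

            while ((avif = av_demuxer_iterate(&avif_iter))) {
                if (avif->extensions)
                    avif_count ++;
            }
            /* Always consume the selector so the trailer layout does not
             * depend on which demuxers the build registers. */
            avif_pick = bytestream2_get_le32(&gbc);

            /* A build that registers no demuxer with an extension list would
             * make the modulo below divide by zero; that fault would be in
             * the harness, not in the demuxer under test, so skip the
             * extension instead. */
            if (avif_count > 0) {
                avif_count = avif_pick % avif_count;

                avif_iter = NULL;
                while ((avif = av_demuxer_iterate(&avif_iter))) {
                    if (avif->extensions)
                        if (!avif_count--)
                            break;
                }
                /* avif is NULL only if the second walk saw fewer demuxers
                 * than the first; do not dereference it in that case. */
                if (avif) {
                    char *comma;

                    av_strlcpy(extension, avif->extensions, sizeof(extension));
                    /* Keep only the first entry of the comma-separated list. */
                    comma = strchr(extension, ',');
                    if (comma)
                        *comma = 0;
                    av_strlcatf(filename, sizeof(filename), ".%s", extension);
                }
            }
        }

        interrupt_counter = bytestream2_get_le32(&gbc);
        avfmt->interrupt_callback.callback = interrupt_cb;
    }

    // HLS uses a loop with sleep, we thus must breakout or we timeout
    if (fmt && !strcmp(fmt->name, "hls"))
        interrupt_counter &= 31;

    /* Fall back to one buffer for the whole input when the requested buffer
     * size is zero or would split the input into more than maxblocks reads. */
    if (!io_buffer_size || size / io_buffer_size > maxblocks)
        io_buffer_size = size;

    pkt = av_packet_alloc();
    if (!pkt)
        error("Failed to allocate pkt");

    io_buffer = av_malloc(io_buffer_size);
    if (!io_buffer)
        error("Failed to allocate io_buffer");

    opaque.filesize = filesize;
    opaque.pos      = 0;
    /* The callbacks only read through this pointer; the cast makes the
     * dropped const qualifier explicit. */
    opaque.fuzz     = (uint8_t *)data;
    opaque.fuzz_size= size;
    fuzzed_pb = avio_alloc_context(io_buffer, io_buffer_size, 0, &opaque,
                                   io_read, NULL, seekable ? io_seek : NULL);
    if (!fuzzed_pb)
        error("avio_alloc_context failed");

    avfmt->pb = fuzzed_pb;

    ret = avformat_open_input(&avfmt, filename, fmt, NULL);
    if (ret < 0) {
        goto fail;
    }

    ret = avformat_find_stream_info(avfmt, NULL);

    //TODO, test seeking

    /* Bounded packet loop: stop at the first error or after maxiteration packets. */
    for(it = 0; it < maxiteration; it++) {
        ret = av_read_frame(avfmt, pkt);
        if (ret < 0)
            break;
        av_packet_unref(pkt);
    }

fail:
    av_packet_free(&pkt);
    /* Free through fuzzed_pb->buffer rather than io_buffer: the buffer the
     * context holds now is the one that must be released. */
    av_freep(&fuzzed_pb->buffer);
    avio_context_free(&fuzzed_pb);
    avformat_close_input(&avfmt);

    return 0;

}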